I didn't want anyone coming back stating "well he probably... which is why metasploit didn't"... Indeed it was annoying for ME to sit through it (which I did). At the end, I did the vid for two reasons: 1) Had to figure out Camtasia 2) Wanted to show others why reliance on any tool is not a good idea.

In the meantime, I created my own "autopwn" program. Does the following

1) Scans the network using parallel hosts - this is to avoid setting off alarms
2) Uses a combination of NMAP's version
3) Takes all the output from all parallel hosts and uploads them to a central location. Parses out all the data uniquely
4) Takes the parsed out data and scours for the maximum rated exploit against the version
5) Runs along using wget to download the exploit in a directory named after the target

On 4, I like to avoid being noisy, so instead of running inconsistent exploits against, say, IIS, what I do *sometimes* is install the exact version if I can find it, then test against my version. This allows me to get a higher percentage rate of a working exploit against the machine I'm testing.

On my fuzzbox setup, I don't have it down to a science yet but am working on it. My goal isn't point and click, fire and forget; more like a "Laser Guided Missile" approach. I truly believe in trying to be as inconspicuous as possible when I can, so many of the tools are run from typical command line Linux and BSD VM images. When I use nmap or HPING my timing variables are LOOOOONG to avoid tripping up IDSs, e.g., each port can sometimes take up to 1-2 minutes, which is why I use multiple machines and many-a-decoys. I also tend to aim for busy traffic times (business hours) to get "lost in the sauce". I don't know... I just try to think about it from the following perspective... "If I was a network assassin, how would I work without leaving a trace and being as effective as possible?" This makes me think of countering myself at the same time... "What would I do if someone did this to me?"
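As an added illustration of the collect / parse / rank / stage pipeline sketched in the numbered list above (this is not the poster's autopwn code): one scanner invocation is built with nmap's slow-timing and decoy options, the XML each scanner host wrote is parsed and merged so a port reported twice is kept once, the best-rated entry in a catalog is chosen for the exact product/version, and the wget command for a per-target directory is produced. The nmap flags (-sV, -T1, --scan-delay, -D, -oX) and wget -P are real; the sample XML, the exploit catalog, its ratings, module names and URLs are all constructed placeholders, not real exploits.

```python
"""Added example: scan -> parse/merge -> rank -> stage, as described above.

Not the poster's autopwn code. Assumes nmap -sV XML (-oX) as input and uses a
constructed, hypothetical exploit catalog; nothing here executes a scan or a
download, it only builds the commands and the plan.
"""
import xml.etree.ElementTree as ET
from pathlib import Path


# Steps 1/2: a slow, decoyed version scan. -T1 slows probing, --scan-delay
# spaces port probes (the post uses 1-2 minutes per port), -D adds decoy
# source addresses with ME marking the real scanner's position.
def build_nmap_cmd(target, outfile, decoys=("10.9.8.7", "10.9.8.8"), delay="90s"):
    return ["nmap", "-sV", "-T1", "--scan-delay", delay,
            "-D", ",".join(list(decoys) + ["ME"]), "-oX", outfile, target]


# Step 3: pull open ports with service/version info out of one scanner's XML.
def parse_nmap_xml(xml_text):
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            findings.append({
                "host": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", ""),
                "product": svc.get("product", ""),
                "version": svc.get("version", ""),
            })
    return findings


# Step 3 (cont.): merge every scanner's findings, unique by host/port/proto.
def merge_unique(*finding_lists):
    seen = {}
    for findings in finding_lists:
        for f in findings:
            seen.setdefault((f["host"], f["port"], f["proto"]), f)
    return list(seen.values())


# Constructed, hypothetical catalog: (product, version) -> candidates with a
# rating (higher is better). Names and URLs are placeholders, not real exploits.
CATALOG = {
    ("ExampleHTTPd", "1.2.3"): [
        {"name": "examplehttpd_123_a", "rating": 3, "url": "https://exploits.invalid/a.py"},
        {"name": "examplehttpd_123_b", "rating": 5, "url": "https://exploits.invalid/b.py"},
    ],
    ("ExampleFTPd", "0.9"): [
        {"name": "exampleftpd_09", "rating": 4, "url": "https://exploits.invalid/c.py"},
    ],
}


# Step 4: highest-rated exploit for the exact product/version, else None.
def pick_exploit(finding, catalog=CATALOG):
    cands = catalog.get((finding["product"], finding["version"]), [])
    return max(cands, key=lambda e: e["rating"]) if cands else None


# Step 5: per-target directory plus the wget command that fills it.
def stage_download(finding, exploit, base="loot"):
    dest = Path(base) / finding["host"]
    return dest, ["wget", "-q", "-P", str(dest), exploit["url"]]


def plan(xml_docs, catalog=CATALOG):
    findings = merge_unique(*(parse_nmap_xml(x) for x in xml_docs))
    out = []
    for f in findings:
        e = pick_exploit(f, catalog)
        if e:
            dest, cmd = stage_download(f, e)
            out.append((f["host"], f["port"], e["name"], cmd))
    return out


# Constructed sample output from two scanner hosts; scanner B repeats one port
# scanner A already saw and adds a second host.
SCAN_A = """<nmaprun><host><status state="up"/>
<address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="ExampleHTTPd" version="1.2.3"/></port>
<port protocol="tcp" portid="22"><state state="filtered"/>
<service name="ssh"/></port></ports></host></nmaprun>"""
SCAN_B = """<nmaprun><host><status state="up"/>
<address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="ExampleHTTPd" version="1.2.3"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/>
<service name="ftp" product="ExampleFTPd" version="0.9"/></port></ports></host></nmaprun>"""

if __name__ == "__main__":
    print(build_nmap_cmd("10.0.0.0/24", "scanA.xml"))
    for row in plan([SCAN_A, SCAN_B]):
        print(row)
```

The plan is returned rather than executed so the ranking can be inspected before any wget runs; the filtered port 22 is dropped at parse time, and the duplicate 10.0.0.5:80 report survives only once after the merge.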

While CANVAS is definitely an awesome tool, it's another one of those, like Core Impact, that simply falls outside my price range for many smaller gigs, so I only have $$ for it, when I know I've got larger jobs lined up.

What gets me uptight (sorry... <rant on>) is all the attention Core gets, etc., when you then see the folks FROM Core offering pentesting services as low as a few thousand $$. So let's see... A pentester in the field MIGHT be able to compete with Core's services, except that it costs the pentester more $$ for a quarterly license to Core than it costs someone to hire Core in to DO a pentest... I think they lost their marketing sense somewhere along the line...<rant off> I've already lost out on a few gigs where Core would've come in handy, because they offer their own services so low it wasn't cost effective for me to even continue to bid on the gig...

So sil, if you start creating tools, and putting them out there 'affordably,' you might be able to make some serious $$, from those who are sick of paying over the top $$ for minimal licenses to the commercial products. <hint hint>

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

I was actually trying to get marketing staff to understand the problems with XSS + ARP spoofing. So I thought of a minimalist example of what could occur on teh Interwebs. MITM host --> pretend to be something you're not (in this video Google), craft an email as a potential client: "What is this litigation I hear about your company, I'd like to do business but not until I get clarity on this: http://www.SomeBogusCompanyYouCreateOnA ... ollars.com" fire it off. Instamagic reverse. If you know what you're doing, you'll take note that NO errors or warnings popped up and although private address ranges were used, one could leverage an EC2 host, register a domain, go as far as Googlebombing the domain for exposure into the top 10... Fire and forget.

To be concise, this is a valid demo anyone can give on client side attacks. If you *really* want it to be realistic and avoid detection, you can MITM and make the victim's side think that your machine is "WHATEVER.com" for more shock and awe.

Anyway, I was bored today, working on material for some presentations I have coming up (client, security, sales) and I thought of an "OMG" spooky method of "you never saw that coming, did you... firewall and all". In fact, the Vista machine is using Oracle's DLP (from another thread), has BitDefender, Trend Micro, Snare, etc., nary an alarm. In fact, I could have siphoned anything off my Vista machine onto my FBSD machine without a peep from my DLP application. Thanks Oracle!

Dynamik you get your ISACA results yet... I feel like I'm watching paint dry @ this point

sil wrote: Dynamik you get your ISACA results yet... I feel like I'm watching paint dry @ this point

Paint drying implies progress though...

No, there's a thread on TE with people bitching about it too. Someone called last week and was told that we should be getting the results in a week. My manager called the week before that and was told the same thing. Saturday will be week #9. *sigh*

I'll check out the goods when I'm back home and off of this terrible hotel internet.

There are two things I would like to point out about this demo; first, the SQLite adapter is no longer supported for automation as of 3.4.0, as it hits all sorts of fun bugs when you run more than a few threads. Second, the db_autopwn command is complete trash; the only exception is when you choose a specific set of modules with -m or through port exclusions. We have debated just getting rid of it, but too many people still use it for us to just remove the command. It's definitely due for a rewrite.

If you are looking for an even comparison, I recommend trying Metasploit Express (our commercial product). The exploit engine in Metasploit Express is not based on db_autopwn in any sense; instead, it buckets exploits by reliability, sorts by disclosure date, and orders the attacks to make sure the best exploit is always used first for a particular target. This engine will also leverage OS fingerprints and make sure that only a single attack is launched against a particular service of a particular host at the same time. This results in quick network-wide exploitation, all through a web browser, and with the full power of the Metasploit payloads.

You can get a free 7-day eval of Metasploit Express at the URL below. All proceeds from Metasploit Express directly contribute to the development of the open source Metasploit Framework.
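The ordering rules HD lays out in the post above (bucket by reliability rank, sort by disclosure date within a bucket, gate on OS fingerprint, never run two attacks against the same service of the same host at once) are concrete enough to model. The following is an added example of that scheduling logic, not Metasploit Express code and not a description of its internals. It uses Metasploit's real rank names; the hosts, candidate modules, disclosure dates and the "newest first" sort direction within a rank are assumptions, and the minimum-rank cutoff mirrors the "Great" vs "Normal" knob mentioned later in the thread.

```python
"""Added example of rank-bucketed, date-sorted, one-attack-per-service
scheduling. Not Metasploit Express code; hosts, modules and dates are
constructed, and sorting newest-first within a rank is an assumption."""
from datetime import date

# Metasploit's reliability ranks, best first.
RANKS = ["excellent", "great", "good", "normal", "average", "low", "manual"]


def rank_index(rank):
    return RANKS.index(rank.lower())


def order_candidates(cands, min_rank="great"):
    """Drop candidates below min_rank, then sort best rank first and, within a
    rank, newest disclosure first (assumed direction)."""
    cutoff = rank_index(min_rank)
    keep = [c for c in cands if rank_index(c["rank"]) <= cutoff]
    return sorted(keep, key=lambda c: (rank_index(c["rank"]),
                                       -c["disclosed"].toordinal()))


def matches_os(cand, host_os):
    # OS fingerprint gate: a candidate with no target list applies everywhere.
    return not cand["targets"] or host_os in cand["targets"]


def schedule(hosts, cands, min_rank="great"):
    """Return rounds of attacks. Each round holds at most one attack per
    (host, port), so a service never sees two concurrent attempts; the plan
    assumes every attempt fails, a real engine stops a queue on success."""
    queues = {}
    for h in hosts:
        for svc in h["services"]:
            eligible = [c for c in cands
                        if c["service"] == svc["name"] and matches_os(c, h["os"])]
            q = order_candidates(eligible, min_rank)
            if q:
                queues[(h["ip"], svc["port"])] = q
    rounds = []
    while queues:
        rnd = []
        for key in list(queues):
            rnd.append((key[0], key[1], queues[key].pop(0)["name"]))
            if not queues[key]:
                del queues[key]
        rounds.append(rnd)
    return rounds


# Constructed sample inventory and candidate list (hypothetical module names).
HOSTS = [
    {"ip": "10.0.0.5", "os": "Windows",
     "services": [{"port": 80, "name": "http"}, {"port": 445, "name": "smb"}]},
    {"ip": "10.0.0.6", "os": "Linux",
     "services": [{"port": 80, "name": "http"}]},
]
CANDS = [
    {"name": "http_mod_old_great", "service": "http", "rank": "great",
     "disclosed": date(2008, 3, 1), "targets": []},
    {"name": "http_mod_new_great", "service": "http", "rank": "great",
     "disclosed": date(2010, 5, 1), "targets": []},
    {"name": "http_mod_excellent_win", "service": "http", "rank": "excellent",
     "disclosed": date(2009, 1, 1), "targets": ["Windows"]},
    {"name": "http_mod_normal", "service": "http", "rank": "normal",
     "disclosed": date(2010, 6, 1), "targets": []},
    {"name": "smb_mod_good", "service": "smb", "rank": "good",
     "disclosed": date(2008, 10, 1), "targets": ["Windows"]},
]

if __name__ == "__main__":
    for i, rnd in enumerate(schedule(HOSTS, CANDS), 1):
        print(f"round {i}: {rnd}")
    print("min_rank=normal:", schedule(HOSTS, CANDS, min_rank="normal"))
```

With the default "great" cutoff the Windows host's port 80 gets the excellent-ranked module first, the Linux host never sees the Windows-only module, and the good-ranked SMB module is filtered out entirely; lowering the cutoff to "normal" pulls SMB and the normal-ranked HTTP module back in, which is the trade-off sil describes when tuning Express down to get more modules in play.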

What's going on HD. Thanks for coming around and commenting it's definitely nice for others to see the involvement from other heavyweights in the industry. Now if I can lure out druid, dino and maybe Dave @ Immunity to chime in here from time to time, I'm sure it would inspire others to keep moving forward in their careers, hobbies, etc., as well as continue posting informative stuff

"first, the SQLite adapter is no longer supported for automation as of 3.4.0, as it hits all sorts of fun bugs when you run more than a few threads." That's definitely good to know. I wish you guys threw in a timer of sorts (sleep N) after each attempt. The option would allow for keeping covertness. Worry little, I can use sleep as is, just saying. Maybe I will do a quick and dirty write up when I have time on how to mimic this effect (say Canvas' covertness effect) with Metasploit.

"Second, the db_autopwn command is complete trash but too many people still use it for us to just remove the command. Its definitely due for a rewrite." It's good for the low hanging fruit but I wouldn't rely on it. For the sake of the video, it was the easiest mechanism to get a point across. With this said, I feel like the video is tainted so I will re-do it using both community Metasploit and Metasploit Express using targeted attacks instead. "I recommend trying Metasploit Express (our commercial product)." Going to give it a whirl in a bit and repost.

NOTE: The initial video was and is not meant to pit two tools as "one being better than the other"; in fact, on the contrary. The video was and is meant to show that reliance on specific tools in this industry is a no-no. For example, in the Rage Against the Vista Machine (http://www.infiltrated.net/Rage-Against ... a-Machine/) video, the Social Engineering Toolkit (using Metasploit as a backend) was able to do some trickery to compromise a Vista machine whereas Canvas doesn't have "that many" clientsides. I will state though, the clientsides on Canvas are "extreme" in every sense of the word, as is Cloudburst.

Awesome! Looking forward to seeing the next video, hopefully we can get db_autopwn rewritten/replaced in the next couple months. Covertness is the least of its problems right now, it's simply not reliable.

Express versus Canvas. Express was updated today, my Canvas is lacking - hasn't been updated since early this year (January). I tuned Express down to Normal to use more exploits as "Great" was solely trying about 50 or so attacks against this machine.

dynamik wrote: I actually was but forgot to ask, thanks. Am I missing something though? Didn't you say the system was fully patched? Why was that exploit able to execute successfully?

Snapshot is/isn't your friend. On the initial video, the system was/is fully updated. On every reboot, I do it all over each day. The particular Windows 2K3 machine I use has been used/abused like the girls at Cat House (http://en.wikipedia.org/wiki/Cathouse:_The_Series). I use it for Pai Mei, learning RCE, testing retarded code and so on. On my initial test it was fully patched. On snapshots it only updates as far back as *MAYBE* (big maybe here) ... 09, with some patches NOT being applied because they break a lot of things I use on that machine.